
COBIT 5 (PART-3)

  • Writer: Abhilasha
  • Jul 8, 2024
  • 4 min read

COBIT 5 for Information Security


Information

Information is a key resource for all enterprises. It is created, used, retained, disclosed, and destroyed. Technology plays a crucial role in these processes and is becoming increasingly pervasive in business and personal life.


Enterprise Benefits

Enterprises and their executives strive to:

  • Maintain quality information to support business decisions.

  • Generate business value from IT-enabled investments by achieving strategic goals and realizing business benefits through effective and innovative use of IT.

  • Achieve operational excellence through reliable and efficient application of technology.

  • Maintain IT-related risk at an acceptable level.

  • Optimize the cost of IT services and technology.


Realizing Benefits for Enterprise Stakeholder Value

Delivering enterprise stakeholder value requires good governance and management of information and technology (IT) assets. Key points include:

  • Enterprise boards, executives, and management must embrace IT as a significant part of the business.

  • Legal, regulatory, and contractual compliance requirements related to the use of information and technology are increasing, and breaches threaten value.

  • COBIT 5 provides a comprehensive framework to assist enterprises in achieving their goals and delivering value through effective governance and management of enterprise IT.


By adopting COBIT 5, organizations can ensure they manage information and technology effectively, align IT with business goals, and comply with regulatory requirements, ultimately creating value for stakeholders.


Governance and Management

  • Governance (EDM): Ensures that stakeholder needs, conditions, and options are evaluated to determine balanced objectives, sets direction through prioritization and decision-making, and monitors performance and compliance.

  • Management (PBRM): Plans, builds, runs, and monitors activities in alignment with the direction set by the governance body to achieve enterprise objectives.


Drivers

The major drivers for the development of COBIT 5 for Information Security include:

1. Enterprise Context for Information Security:

  • The need to describe information security within the context of an enterprise.

2. Risk Management:

  • Keeping risks at acceptable levels.

  • Ensuring system and service availability.

3. Compliance:

  • Complying with relevant laws and regulations.

4. Alignment with Standards:

  • Connecting to and aligning with other major standards and frameworks.

5. ISACA Integration:

  • Linking together all major ISACA research, frameworks, and guidance.


Benefits

Using COBIT 5 for Information Security offers numerous benefits:

1. Reduced Complexity and Cost-Effectiveness:

  • Simplifies integration of information security standards, leading to cost savings.

2. Increased User Satisfaction:

  • Enhances user satisfaction with information security arrangements and outcomes.

3. Improved Integration:

  • Better integration of information security within the enterprise.

4. Informed Risk Decisions:

  • Promotes risk awareness and informed risk decisions.

5. Enhanced Security Measures:

  • Improves prevention, detection, and recovery processes.

  • Reduces the impact of security incidents.

7. Support for Innovation:

  • Enhances support for innovation and competitiveness.

8. Cost Management:

  • Better management of costs related to the information security function.

9. Better Understanding:

  • Improves the overall understanding of information security.


Information Security Defined

ISACA defines information security as:

Ensuring that within the enterprise, information is protected against:

  • Disclosure to Unauthorized Users (Confidentiality): Preventing unauthorized access to information.

  • Improper Modification (Integrity): Protecting information from being altered inappropriately.

  • Non-Access When Required (Availability): Ensuring information is accessible when needed.


Using COBIT 5 Enablers for Implementing Information Security

COBIT 5 for Information Security provides specific guidance related to all enablers, which include:

1. Information Security Policies, Principles, and Frameworks:

  • Guidance on creating and maintaining policies, principles, and frameworks.

2. Processes:

  • Information security-specific details and activities integrated into processes.

3. Organizational Structures:

  • Information security-specific structures to support governance and management.

4. Culture, Ethics, and Behavior:

  • Factors that influence the success of information security governance and management.

5. Information:

  • Specific types of information relevant to information security.

6. Services, Infrastructure, and Applications:

  • Capabilities required to provide information security functions to the enterprise.

7. People, Skills, and Competencies:

  • Specific skills and competencies needed for information security.


Enabler: Principles, Policies, and Frameworks

Principles, policies, and frameworks refer to the communication mechanisms put in place to convey the direction and instructions of the governing bodies and management. This includes:

1. Principles, Policies, and Framework Model:

  • The model for creating and maintaining information security principles, policies, and frameworks.

2. Information Security Principles:

  • Core principles that guide the development and implementation of information security practices.

3. Information Security Policies:

  • Specific policies that outline the rules and guidelines for information security within the enterprise.

4. Adapting Policies to the Enterprise's Environment:

  • Tailoring information security policies to fit the unique environment and requirements of the enterprise.

5. Policy Life Cycle:

  • The stages of policy development, implementation, monitoring, and updating to ensure continuous relevance and effectiveness.


Information Security Principles

Information security principles communicate the rules of the enterprise. These principles should be:

  • Limited in Number: Only a few key principles to ensure focus and clarity.

  • Expressed in Simple Language: Easily understandable by all stakeholders.


In 2010, ISACA, ISF, and ISC2 collaborated to create 12 principles that help information security professionals add value to their organizations. These principles support three main tasks:

1. Support the Business:

  • Ensure information security aligns with business goals and objectives.

2. Defend the Business:

  • Protect the business from security threats and risks.

3. Promote Responsible Information Security Behavior:

  • Encourage a culture of security awareness and best practices.


Information Security Policies

Policies provide more detailed guidance on how to put principles into practice. Some examples of policies an enterprise may include are:

1. Information Security Policy:

  • Overall guidelines and rules for maintaining information security.

2. Access Control Policy:

  • Rules for managing access to information and systems.

3. Personnel Information Security Policy:

  • Guidelines for ensuring employees follow security practices.

4. Incident Management Policy:

  • Procedures for handling security incidents and breaches.

5. Asset Management Policy:

  • Guidelines for managing and protecting information assets.



COBIT 5 for Information Security describes the following attributes for each policy:

1. Scope:

  • Defines the range and boundaries of the policy.

2. Validity:

  • Specifies the time period during which the policy is effective.

3. Goals:

  • Outlines the objectives and desired outcomes of the policy.
